SOLVED Boot Ubuntu 20.04.3 UEFI + Preseed = Error cannot verify [...] certificate issued by CN=FOG Server CA

  • Hi there.

    First i need to thanks all team,devs and enthousiats volounteers participating and helping this great project.

    I managed to boot Ubuntu 20.04.3 via NFS/HTTPS with UEFI (BTRFS + apt-btrfs-snapshots) (LUKS OR NOT) with a fully automated preseed/

    Here are the files :

    The menu :

    kernel tftp://${fog-ip}/os/ubuntu/20.04D/vmlinuz
    initrd tftp://${fog-ip}/os/ubuntu/20.04D/initrd
    imgargs vmlinuz initrd=initrd root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/images/os/ubuntu/ locale=fr_FR.UTF-8 net.ifnames=0 biosdevname=0 ipv6.disable=1 keyboard-configuration/layoutcode=fr ip=dhcp rw hostname=DEPLOYX-ATD automatic-ubiquity url=http://${fog-ip}/autoinstall/ubuntu/ubiseed_20_nvme.cfg debian-installer/allow_unauthenticated_ssl=true DEBCONF_DEBUG=5
    boot || goto MENU

    The Preseed

    # Scripté par votre serviteur Val durant un apres-midi de printemps.
    # version 0.8
    # TODO 
    # Il s'agit d'automatiser une installation d' Uuntu 20.04.2 Desktop à destination des desktops et laptops du mouvement.
    # Certaines informations manquent et des tests sont en cour.
    # On pourrait utiliser Packer , Vagrant, Ansible , toussa mais pour le moment on fait un preseed assez simple sans jonction à l'AD mais avec les
    # paquets qui vont bien.
    # On pourrait aussi utiliser autoinstall du cloud-init en yaml mais c'est compatible uniquement avec la version server . Pourquoi ? je n'en ai absolument aucune idée.
    # À terme nous prevoyons deux autres preseed apres des tests: 
    # Un pour des laptop (chiffrement luks)  avec/sans jonction AD
    # Un pour machines virtuelles avec jonction AD
    # Enjoy ! 
    # À partir du moment ou le preseed est lu on peut directement executer une commande
    # This first command is run as early as possible, just after
    # preseeding is read.
    #d-i preseed/early_command string anna-install some-udeb
    ### Unattended Installation
    d-i auto-install/enable boolean true
    d-i debconf/priority select critical
    # 1 - ### Localization
    # Preseeding only locale sets language, country and locale.
    # On setup la locale qui s'occupe de language, country and locale.
    d-i debian-installer/locale string fr_FR.UTF-8
    d-i localechooser/supported-locales multiselect fr_FR.UTF-8
    # Keyboard selection.
    # Disable automatic (interactive) keymap detection.
    d-i console-setup/ask_detect boolean false
    d-i keyboard-configuration/xkb-keymap select fr
    # 2 -  ### Network configuration
    # On active la conf reseau bah oui on est en pxe les copains. Il faut que la plage IP et les DNS soient good !
    d-i netcfg/enable boolean true
    # netcfg will choose an interface that has link if possible. This makes it
    # skip displaying a list if there is more than one interface.
    d-i netcfg/choose_interface select eth1
    # À tricker au cas ou la conf auto ne passe pas.
    # To set a different link detection timeout (default is 3 seconds).
    # Values are interpreted as seconds.
    d-i netcfg/link_wait_timeout string 10
    # En cas de DHCP molasson on definit un timeout (en secondes) 
    #d-i netcfg/dhcp_timeout string 60
    #d-i netcfg/dhcpv6_timeout string 60
    # If you prefer to configure the network manually, uncomment this line and
    # the static network configuration below.
    #d-i netcfg/disable_autoconfig boolean true
    # If you want the preconfiguration file to work on systems both with and
    # without a dhcp server, uncomment these lines and the static network
    # configuration below.
    #d-i netcfg/dhcp_failed note
    #d-i netcfg/dhcp_options select Configure network manually
    # Static network configuration.
    # IPv4 example
    #d-i netcfg/get_ipaddress string
    #d-i netcfg/get_netmask string
    #d-i netcfg/get_gateway string
    #d-i netcfg/get_nameservers string
    #d-i netcfg/confirm_static boolean true
    # IPv6 example
    #d-i netcfg/get_ipaddress string fc00::2
    #d-i netcfg/get_netmask string ffff:ffff:ffff:ffff::
    #d-i netcfg/get_gateway string fc00::1
    #d-i netcfg/get_nameservers string fc00::1
    #d-i netcfg/confirm_static boolean true
    # Any hostname and domain names assigned from dhcp take precedence over
    # values set here. However, setting the values still prevents the questions
    # from being shown, even if values come from dhcp.
    d-i netcfg/get_hostname string DEPLOYX-ATD
    #d-i netcfg/get_domain string unassigned-domain
    d-i netcfg/get_domain string
    # If you want to force a hostname, regardless of what either the DHCP
    # server returns or what the reverse DNS entry for the IP is, uncomment
    # and adjust the following line.
    #d-i netcfg/hostname string somehost
    # Disable that annoying WEP key dialog.
    d-i netcfg/wireless_wep string
    # The wacky dhcp hostname that some ISPs use as a password of sorts.
    #d-i netcfg/dhcp_hostname string radish
    # If non-free firmware is needed for the network or other hardware, you can
    # configure the installer to always try to load it, without prompting. Or
    # change to false to disable asking.
    # Cette directive est à adapter selon les experiences rencontrées avec le hardware du parc.
    d-i hw-detect/load_firmware boolean false
    ### Network console
    # Use the following settings if you wish to make use of the network-console
    # component for remote installation over SSH. This only makes sense if you
    # intend to perform the remainder of the installation manually.
    #d-i anna/choose_modules string network-console
    #d-i network-console/authorized_keys_url string
    #d-i network-console/password password r00tme
    #d-i network-console/password-again password r00tme
    # Use this instead if you prefer to use key-based authentication
    #d-i network-console/authorized_keys_url http://host/authorized_keys
    # 3 -### Mirror settings
    # If you select ftp, the mirror/country string does not need to be set.
    #d-i mirror/protocol string ftp
    #d-i mirror/country string france
    #d-i mirror/http/hostname string
    #d-i mirror/http/directory string /ubuntu
    #d-i mirror/http/proxy string
    ### Lorsque notre apt -cacher-ng sera installé precisez l'addresse ici.
    #d-i mirror/http/proxy string https://apt-cacher-ng:3184/
    # Alternatively: by default, the installer uses where
    # CC is the ISO-3166-2 code for the selected country. You can preseed this
    # so that it does so without asking.
    # On utilise le depot par defaut en FR
    d-i mirror/http/mirror select
    # Suite to install.
    # TODO Incomprehensible que les dev d'ubuntu n'aient pas updaté cette valeur stretch pour la 20.04 ?
    #d-i mirror/suite string focal
    # Suite to use for loading installer components (optional).
    #d-i mirror/udeb/suite string focal
    # Components to use for loading installer components (optional).
    # On balance les depots universe et multiverse en plus pour que notre preseed sache ou aller taper.
    d-i mirror/udeb/components multiselect main, restricted, universe, multiverse
    # 5 - ### Account setup
    ### Account setup
    # Skip creation of a root account (normal user account will be able to
    # use sudo). The default is false; preseed this to true if you want to set
    # a root password.
    d-i passwd/root-login boolean false
    # Alternatively, to skip creation of a normal user account.
    d-i passwd/make-user boolean true
    # Root password, either in clear text
    #d-i passwd/root-password password r00tme
    #d-i passwd/root-password-again password r00tme
    # or encrypted using a crypt(3)  hash.
    #d-i passwd/root-password-crypted password [crypt(3) hash]
    # Nous specifions le local admin pour acces à l'interface graphique en cas de depannage sans A.D (SSSD)
    # To create a normal user account.
    d-i passwd/user-fullname string admin6
    d-i passwd/username string admin6
    d-i passwd/user-uid string 980
    # Normal user's password, either in clear text
    #d-i passwd/user-password password insecure
    #d-i passwd/user-password-again password insecure
    # or encrypted using a crypt(3) hash.
    #d-i passwd/user-password-crypted password [crypt(3) hash]
    d-i passwd/user-password-crypted password $6$1SJtgvACAbAK$RbIwXeRozK7OWXxYvFiHYJphPoRtbbouXjM2XtTf0UZZyZcFx4boNg2B0BGZl0b8LqecuhnaXPX8apyRuxxmG/
    # Create the first user with the specified UID instead of the default.
    # On cree un user sous le GID 1000 afin qu'il n'apparaisse pas dans gdm.
    #d-i passwd/user-uid string 888
    # The installer will warn about weak passwords. If you are sure you know
    # what you're doing and want to override it, uncomment this.
    d-i user-setup/allow-password-weak boolean true
    # The user account will be added to some standard initial groups. To
    # override that, use this.
    # On ajoute l'user à netdev et sudo juste comme ça pour le fun.
    d-i passwd/user-default-groups string audio cdrom video netdev sudo users lpadmin
    # Set to true if you want to encrypt the first user's home directory.
    # TODO on test mais on y croit pas . 
    d-i user-setup/encrypt-home boolean false
    ### Clock and time zone setup
    # Controls whether or not the hardware clock is set to UTC.
    d-i clock-setup/utc boolean true
    # You may set this to any valid setting for $TZ; see the contents of
    # /usr/share/zoneinfo/ for valid values.
    d-i time/zone string Europe/Paris
    # Controls whether to use NTP to set the clock during the install
    d-i clock-setup/ntp boolean true
    # NTP server to use. The default is almost always fine here.
    # TODO trouver le ntp qui va bien.
    d-i clock-setup/ntp-server string server
    ### i386 specific disk storage
    # Activate DASD disks
    #d-i s390-dasd/dasd string 0.0.0200,0.0.0300,0.0.0400
    # DASD configuration; by default dasdfmt (low-level format) if needed
    #d-i s390-dasd/auto-format boolean true
    #d-i s390-dasd/force-format boolean true
    # zFCP activation and configuration
    # d-i s390-zfcp/zfcp string 0.0.1b34:0x400870075678a1b2:0x201480c800000000, \
    #                           0.0.1b34:0x400870075679a1b2:0x201480c800000000
    # 5 - Partitionnement
    # This command is run immediately before the partitioner starts. It may be
    # useful to apply dynamic partitioner preseeding that depends on the state
    # of the disks (which may not be visible when preseed/early_command runs).
    #d-i partman/early_command \
    #       string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"
    #d-i partman/early_command \
    #       string sgdisk -Z /dev/vda
    ## Partitioning example
    # If the system has free space you can choose to only partition that space.
    # This is only honoured if partman-auto/method (below) is not set.
    # Alternatives: custom, some_device, some_device_crypto, some_device_lvm.
    #d-i partman-auto/init_automatically_partition select biggest_free
    # Alternatively, you may specify a disk to partition. If the system has only
    # one disk the installer will default to using that, but otherwise the device
    # name must be given in traditional, non-devfs format (so e.g. /dev/sda
    # and not e.g. /dev/discs/disc0/disc).
    # For example, to use the first SCSI/SATA hard disk:
    #d-i partman-auto/disk string /dev/sda
    # In addition, you'll need to specify the method to use.
    # The presently available methods are:
    # - regular: use the usual partition types for your architecture
    # - lvm:     use LVM to partition the disk
    # - crypto:  use LVM within an encrypted partition
    d-i partman-auto/method string regular
    # If one of the disks that are going to be automatically partitioned
    # contains an old LVM configuration, the user will normally receive a
    # warning. This can be preseeded away...
    # Si il y a deja un lvm dans le cadre d'une reinstallation on vire les avertissements et on ecrase ! 
    d-i partman-lvm/device_remove_lvm boolean true
    # The same applies to pre-existing software RAID array:
    #d-i partman-md/device_remove_md boolean true
    # And the same goes for the confirmation to write the lvm partitions.
    #d-i partman-lvm/confirm boolean true
    #d-i partman-lvm/confirm_nooverwrite boolean true
    # For LVM partitioning, you can select how much of the volume group to use
    # for logical volumes.
    #d-i partman-auto-lvm/guided_size string max
    #d-i partman-auto-lvm/guided_size string 99%
    #d-i partman-auto-lvm/guided_size string 50%
    # You can choose one of the three predefined partitioning recipes:
    # - atomic: all files in one partition
    # - home:   separate /home partition
    # - multi:  separate /home, /var, and /tmp partitions
    # Est-ce judicieux de separer le home ? Etant donné qu'on utilise le btrfs il gere lui-meme les subvolume donc pas besoin de multiplier les partitions btrfs.
    # Nous ne separons pas le home
    #d-i partman-auto/choose_recipe select atomic
    # Or provide a recipe of your own...
    # If you have a way to get a recipe file into the d-i environment, you can
    # just point at it.
    #d-i partman-auto/expert_recipe_file string /hd-media/recipe
    # If not, you can put an entire recipe into the preconfiguration file in one
    # (logical) line. This example creates a small /boot partition, suitable
    # swap, and uses the rest of the space for the root partition:
    d-i partman-auto/expert_recipe string                         \
          boot-root ::                                            \
                  512 50 512 fat32                                  \
                          $primary{ } $bootable{ }                \
                          method{ efi } format{ }              \
                          mountpoint{ /boot/efi }                     \
                  .                                               \
                  500 10000 1000000000 btrfs                       \
                          method{ format } format{ }              \
                          use_filesystem{ } filesystem{ btrfs }    \
                          mountpoint{ / }                         \
                  .                                               \
                  8192 80 9000 linux-swap                          \
                          method{ swap } format{ }                \
    # If you just want to change the default filesystem from ext3 to something
    # else, you can do that without providing a full recipe.
    # On choisit le systeme de fichier par default. Le btrfs c'est bien.
    #d-i partman/default_filesystem string btrfs
    # The full recipe format is documented in the file partman-auto-recipe.txt
    # included in the 'debian-installer' package or available from D-I source
    # repository. This also documents how to specify settings such as file
    # system labels, volume group names and which physical devices to include
    # in a volume group.
    # This makes partman automatically partition without confirmation, provided
    # that you told it what to do using one of the methods above.
    # Encore des confirmations sur le partitionnement
    d-i partman-partitioning/confirm_write_new_label boolean true
    d-i partman/choose_partition select finish
    d-i partman/confirm boolean true
    d-i partman/confirm_nooverwrite boolean true
    ## Partitioning using RAID
    # The method should be set to "raid".
    #d-i partman-auto/method string raid
    # Specify the disks to be partitioned. They will all get the same layout,
    # so this will only work if the disks are the same size.
    d-i partman-auto/disk string /dev/nvme0n1
    # included in the 'debian-installer' package or available from D-I source
    # repository.
    # This makes partman automatically partition without confirmation.
    ## Controlling how partitions are mounted
    # The default is to mount by UUID, but you can also choose "traditional" to
    # use traditional device names, or "label" to try filesystem labels before
    # falling back to UUIDs.
    #d-i partman/mount_style select uuid
    ### Base system installation
    # Configure a path to the preconfigured base filesystem. This can be used to
    # specify a path for the installer to retrieve the filesystem image that will
    # be deployed to disk and used as a base system for the installation.
    d-i live-installer/net-image string /install/filesystem.squashfs
    # Configure APT to not install recommended packages by default. Use of this
    # option can result in an incomplete system and should only be used by very
    # experienced users.
    #d-i base-installer/install-recommends boolean false
    # The kernel image (meta) package to be installed; "none" can be used if no
    # kernel is to be installed.
    #d-i base-installer/kernel/image string linux-generic
    ### Apt setup
    # You can choose to install restricted and universe software, or to install
    # software from the backports repository.
    d-i apt-setup/restricted boolean true
    d-i apt-setup/universe boolean true
    d-i apt-setup/multiverse boolean true
    d-i apt-setup/backports boolean true
    # Uncomment this if you don't want to use a network mirror.
    #d-i apt-setup/use_mirror boolean false
    # Select which update services to use; define the mirrors to be used.
    # Values shown below are the normal defaults.
    d-i apt-setup/services-select multiselect security
    d-i apt-setup/security_host string
    d-i apt-setup/security_path string /ubuntu
    # Additional repositories, local[0-9] available
    #On va preciser notre apt-cacher -ng qui a la meme addresse que notre FOG 0.200
    #d-i apt-setup/local0/repository string \
    #       http://local.server/ubuntu stretch main
    #d-i apt-setup/local0/comment string local server
    # Enable deb-src lines
    #d-i apt-setup/local0/source boolean true
    # URL to the public key of the local repository; you must provide a key or
    # apt will complain about the unauthenticated repository and so the
    # sources.list line will be left commented out
    #d-i apt-setup/local0/key string http://local.server/key
    # By default the installer requires that repositories be authenticated
    # using a known gpg key. This setting can be used to disable that
    # authentication. Warning: Insecure, not recommended.
    #d-i debian-installer/allow_unauthenticated boolean true
    # Uncomment this to add multiarch configuration for i386
    #d-i apt-setup/multiarch string i386
    ### Package selection
    #tasksel tasksel/first multiselect ubuntu-desktop
    #tasksel tasksel/first multiselect lamp-server, print-server
    #tasksel tasksel/first multiselect kubuntu-desktop
    ### On desactive totalement le module pkgsel/include car ces *** de dev d'ubiquity on viré ce module lorsqu'on installe en automatic ubiquity. Bien sur sans le documenter proprement.
    # Shame on you bande de trous de balle !
    # À la place on va utiliser ubiquity/success_command
    # Individual additional packages to install
    #d-i pkgsel/include string apt-btrfs-snapshot apt-listchanges apt-transport-https autorandr build-essential chrome-gnome-shell chromium-browser chrony curl debconf-utils gimp git gnome-shell-extensions gnome-terminal gnupg hdparm htop icc-profiles inkscape libxml2-utils libglib2.0-dev-bin libegl1-mesa libgl1-mesa-glx libxcb-xtest0 libgl1-mesa-glx libnss-sss libnss-winbind libpam-sss libxcb-dpms0 libxext6 lsb-release mpv netcat openssh-server pciutils python3.9 python3-distutils python3-distutils-extra realmd remmina samba scribus tmux ubuntu-desktop vim vlc wget x11-xserver-utils x2goclient
    # Whether to upgrade packages after debootstrap.
    # Allowed values: none, safe-upgrade, full-upgrade
    #d-i pkgsel/upgrade select full-upgrade
    # Language pack selection
    #d-i pkgsel/language-packs multiselect de, en, zh
    #d-i pkgsel/language-packs select fr
    # Policy for applying updates. May be "none" (no automatic updates),
    # "unattended-upgrades" (install security updates automatically), or
    # "landscape" (manage system with Landscape).
    #d-i pkgsel/update-policy select unattended-upgrades
    # Some versions of the installer can report back on what software you have
    # installed, and what software you use. The default is not to report back,
    # but sending reports helps the project determine what software is most
    # popular and include it on CDs.
    #popularity-contest popularity-contest/participate boolean false
    # By default, the system's locate database will be updated after the
    # installer has finished installing most packages. This may take a while, so
    # if you don't want it, you can set this to "false" to turn it off.
    #d-i pkgsel/updatedb boolean true
    ### Boot loader installation
    # Grub is the default boot loader (for x86). If you want lilo installed
    # instead, uncomment this:
    #d-i grub-installer/skip boolean true
    # To also skip installing lilo, and install no bootloader, uncomment this
    # too:
    #d-i lilo-installer/skip boolean true
    #ubiquity languagechooser/language-name string French
    #ubiquity countrychooser/shortlist string FR
    #ubiquity localechooser/supported-locales string fr_FR.UTF-8
    # This is fairly safe to set, it makes grub install automatically to the MBR
    # if no other operating system is detected on the machine.
    d-i grub-installer/only_debian boolean true
    # This one makes grub-installer install to the MBR if it also finds some other
    # OS, which is less safe as it might not be able to boot that other OS.
    #d-i grub-installer/with_other_os boolean true
    # Due notably to potential USB sticks, the location of the MBR can not be
    # determined safely in general, so this needs to be specified:
    #d-i grub-installer/bootdev  string /dev/nvme0n1
    # To install to the first device (assuming it is not a USB stick):
    d-i grub-installer/bootdev string default
    # Si l'installation ne fonctionne pas pour une raison ou pour une autre on lui demande de rebooter : 
    #ubiquity/failure_command string
    #systemctl reboot;
    #ubiquity ubiquity/success_command string
    #string ip link set up dev enp5s0;
    #dhclient enp5s0;
    #apt-get update -y;
    #in-target apt-get install -y apt-btrfs-snapshot apt-listchanges apt-transport-https autorandr build-essential chrome-gnome-shell chromium-browser chrony curl debconf-utils gimp git gnome-shell-extensions gnupg hdparm htop icc-profiles inkscape libxml2-utils libglib2.0-dev-bin libegl1-mesa libgl1-mesa-glx libxcb-xtest0 libgl1-mesa-glx libnss-sss libnss-winbind libpam-sss libxcb-dpms0 libxext6 lsb-release mpv netcat openssh-server pciutils python python3-distutils python3-distutils-extra realmd remmina samba scribus tmux unattended-upgrades vim vlc wgetx12-xserver-utils x2goclient;
    #ubiquity ubiquity/success_command string
    #'sed '2 a dhcp=dhclient2' /target/etc/NetworkManager/NetworkManager.conf';
    #echo 'yeah';
    # Alternatively, if you want to install to a location other than the mbr,
    # uncomment and edit these lines:
    #d-i grub-installer/only_debian boolean false
    #d-i grub-installer/with_other_os boolean false
    #d-i grub-installer/bootdev  string (hd0,1)
    # To install grub to multiple disks:
    #d-i grub-installer/bootdev  string (hd0,1) (hd1,1) (hd2,1)
    # Optional password for grub, either in clear text
    #d-i grub-installer/password password r00tme
    #d-i grub-installer/password-again password r00tme
    # or encrypted using an MD5 hash, see grub-md5-crypt(8).
    #d-i grub-installer/password-crypted password [MD5 hash]
    # Use the following option to add additional boot parameters for the
    # installed system (if supported by the bootloader installer).
    # Note: options passed to the installer will be added automatically.
    #d-i debian-installer/add-kernel-opts string nousb
    ### Finishing up the installation
    # During installations from serial console, the regular virtual consoles
    # (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
    # line to prevent this.
    d-i finish-install/keep-consoles boolean true
    # Avoid that last message about the install being complete.
    d-i finish-install/reboot_in_progress note
    # Custom command si lancé avec automatic-ubiquity
    ubiquity ubiquity/success_command string \
    mkdir -p /target/home/admin6/.ssh; \
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1BV32184AAIGcgTW5wqCc0o8b4qtKjXwoIP/5Zmu/lSmuA0nNZ4uOS' >> /target/home/admin6/.ssh/authorized_keys; \
    chmod -R 700 /target/home/admin6/.ssh; \
    chmod -R 600 /target/home/admin6/.ssh/authorized_keys; \
    chown -R 1000:1000 /target/home/admin6/.ssh; \
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config; \
    sed -i 's/#PermitRootLogin prohibit-password/#PermitRootLogin no/' /etc/ssh/sshd_config; \
    #echo 'admin6 ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/99_admin6; \
    sed -i '3idhcp=dhclient' /target/etc/NetworkManager/NetworkManager.conf; \
    sed -i 's/MaxAge=90/MaxAge=7/g' /target/etc/cron.weekly/apt-btrfs-snapshot; \
    mkdir -p /target/root; \
    wget --no-check-certificate -c '' -P /target/root; \
    chmod +x /target/root/; \
    echo '@reboot root bash /root/ >> /var/log/postinstall.log 2>&1' >> /target/etc/crontab;
    #sed -i -e 's/dhcp=dhclient/#dhcp=dhclient/' /target/etc/NetworkManager/NetworkManager.conf \
    #sed -i -e 's/dns=dnsmasq/#dns=dnsmasq/' /target/etc/NetworkManager/NetworkManager.conf ;\
    #in-target apt install openssh-sftp-server;
    # This will prevent the installer from ejecting the CD during the reboot,
    # which is useful in some situations.
    d-i cdrom-detect/eject boolean true
    d-i debian-installer/splash boolean false
    d-i debian-installer/exit/poweroff boolean true
    # This is how to make the installer shutdown when finished, but not
    # reboot into the installed system.
    #d-i debian-installer/exit/halt boolean true
    # This will power off the machine instead of just halting it.
    #d-i debian-installer/exit/poweroff boolean true
    ### Preseeding other packages
    # Depending on what software you choose to install, or if things go wrong
    # during the installation process, it's possible that other questions may
    # be asked. You can preseed those too, of course. To get a list of every
    # possible question that could be asked during an install, do an
    # installation, and then run these commands:
    #   debconf-get-selections --installer > file
    #   debconf-get-selections >> file
    #### Advanced options
    ### Running custom commands during the installation
    ## i386 Preseed Example
    # d-i preseeding is inherently not secure. Nothing in the installer checks
    # for attempts at buffer overflows or other exploits of the values of a
    # preconfiguration file like this one. Only use preconfiguration files from
    # trusted locations! To drive that home, and because it's generally useful,
    # here's a way to run any shell command you'd like inside the installer,
    # automatically.
    # This command is run immediately before the partitioner starts. It may be
    # useful to apply dynamic partitioner preseeding that depends on the state
    # of the disks (which may not be visible when preseed/early_command runs).
    #d-i partman/early_command \
    #       string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"
    # This command is run just before the install finishes, but when there is
    # still a usable /target directory. You can chroot to /target and use it
    # directly, or use the apt-install and in-target commands to easily install
    # packages and run commands in the target system.
    #d-i preseed/late_command string apt-install zsh; in-target chsh -s /bin/zsh

    The quite simple script :

    echo "Waiting for Internet ..."
    while ! timeout 0.2 ping -c 1 -n &> /dev/null
    	    printf "%c" "."
        echo "OK"
    # Instal The stuff
    	notify-send --expire-time=25 "Votre systeme applique son script de postinstallation"
    	apt update
    	apt install -y apt-btrfs-snapshot python3-distutils
    	apt install -y --allow-downgrades sssd-ad-common=2.2.3-3 sssd-ad=2.2.3-3 sssd-common=2.2.3-3 sssd-dbus=2.2.3-3 sssd-ipa=2.2.3-3 sssd-kcm=2.2.3-3 sssd-krb5-common=2.2.3-3 sssd-krb5=2.2.3-3 sssd-ldap=2.2.3-3 sssd-proxy=2.2.3-3 sssd-tools=2.2.3-3 sssd=2.2.3-3 libsss-idmap0=2.2.3-3 libipa-hbac0=2.2.3-3 libsss-idmap0=2.2.3-3 python3-sss=2.2.3-3
    	apt-mark hold sssd-ad-common=2.2.3-3 sssd-ad=2.2.3-3 sssd-common=2.2.3-3 sssd-dbus=2.2.3-3 sssd-ipa=2.2.3-3 sssd-kcm=2.2.3-3 sssd-krb5-common=2.2.3-3 sssd-krb5=2.2.3-3 sssd-ldap=2.2.3-3 sssd-proxy=2.2.3-3 sssd-tools=2.2.3-3 sssd=2.2.3-3 libsss-idmap0=2.2.3-3 libipa-hbac0=2.2.3-3 libsss-idmap0=2.2.3-3 python3-sss=2.2.3-3
    	apt install -y apt-listchanges apt-transport-https autorandr build-essential chrome-gnome-shell chromium-browser chrony curl debconf-utils gimp git glances gnome-shell-extensions gnupg hdparm htop icc-profiles inkscape libxml2-utils libglib2.0-dev-bin libegl1-mesa libgl1-mesa-glx libxcb-xtest0 libgl1-mesa-glx libnss-sss libnss-winbind libpam-sss libxcb-dpms0 libxext6 lsb-release mpv nautilus-nextcloud netcat nextcloud-desktop openssh-server pciutils python3.9 python3-distutils-extra realmd remmina samba scribus tmux vim vlc wget x11-xserver-utils x2goclient x2goserver
       	wget --no-check-certificate -c '' -P /etc/NetworkManager/dispatcher.d
       	systemctl disable --now cups-browsed
    	notify-send -u critical "Votre systeme va redemarrer et sera pret Enjoy !"
       	apt install -y krb5-user samba cifs-utils smbclient adcli
    # Remove from crontab
        	sed -i '$d' /etc/crontab
        	exit 0

    It worked like a charm on Debian 10.11 with FOG 1.5.9

    I tried the exact same configuration on Debian 11.2 with FOG

    I got this error on the client :

    Error cannot verify [...] certificate issued by CN=FOG Server CA

    and this in apache2 logs : - - [07/Jan/2022:10:58:05 +0100] "GET /autoinstall/ubuntu/ubiseed_20_vm.cfg HTTP/1.1" 302 563 "-" "Wget/1.20.3 (linux-gnu)"

    EDIT : Forgot to say i can DL the file from a client on the network with :

    wget --no-check-certificate

    i got :

    --2022-01-07 12:15:28--                                                                                                             
    Connexion vers connecté.                                                                                                                                                   
    AVERTISSEMENT : impossible de vérifier l'attribut du certificat, émis par «CN=FOG Server CA» :
      Récupération d'un certificat auto-signé.
    requête HTTP transmise, en attente de la réponse... 200 OK
    Taille : 26567 (26K)
    Enregistre : «ubiseed_20_vm.cfg»

    Wich means it could’nt verify the self signed attribute but however result with a 200 OK .

    I thought it can be some minor changes i need to do and looking for a clue or some good advice here.

    Thanks fellows.

    Have a nice day.

  • @george1421 : Thank you very much.

    In fact i’m used to regular pxe server and we use fog mostly for the cloning feature for windows Workstations.

    To deal with Ubuntu workstations i like to do iso booting + pxe , this way i can mix/test configurations (preseed.cfg) of installation process quickly/easily directly from our gitea.

    By the way i use fog as the main pxe server even for servers with debian based installations.

    After this part of deployment ansible is the king of the hill to do all basics/complex tasks.

    Can i modify the topic’s title with SOLVED ? Can i edit my posts to remove the domain’s informations ?


  • Moderator

    @fogman4 Your english is fine, maybe better than I. I could just read your post a few different ways since I know nothing of your setup that is why I asked. Trying to build a truth table, it wasn’t clear what changed in your environment.

    Great you found the solution because I could tell it was going to be a difficult one to debug. Well done on working out the problem!

  • @george1421 : Hi George

    Thank you for your response as always it’s fast and relevant.
    As you notice english’s not my native language i’ll try to be clear.

    1. There are 2 differents servers: old one (deb10) and new one (deb11) . I installed a fresh new Debian 11 OS on a VM to do some tests on another facility. I keep the older (debian 10) fog server on the main site.
    2. Debian 11 is the OS of the FOG server 1.5.9 119. The target comptuter is booting a ubuntu 20.04.3 iso via NFS.
    3. I’m automating installing Ubuntu 20.04.3 with (debian) preseed which works like a charm on the older server. I’m not confortable with doing image capture/deploy with ubuntu. I want to keep control over specific setting for several workstations whithout doing a capture/deploy cycle each time i do some tests.

    You’re right it’s a redirection and you know what ? I’m a complete dumbass :

    diff 001-fog.conf 001-fogm.conf
    <     ServerName
    <     ServerAlias
    >     KeepAlive Off
    >     ServerName
    >     ServerAlias
    <     RewriteEngine Off
    < #    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    < #    RewriteRule .* - [F]
    < #    RewriteRule /management/other/ca.cert.der$ - [L]
    < #    RewriteCond %{HTTPS} off
    < #    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    >     RewriteEngine On
    >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    >     RewriteRule .* - [F]
    >     RewriteRule /management/other/ca.cert.der$ - [L]
    >     RewriteCond %{HTTPS} off
    >     RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    <     ServerName
    <     ServerAlias
    >     ServerName
    >     ServerAlias
    <     SSLProtocol all -SSLv3 +TLSv1.3
    >     SSLProtocol all -SSLv3 -SSLv2

    I got the exact same problem few times ago and you and @Sebastian-Roth already helped me out !

    Right here :

    I just adapt the the apache conf of new FOG and it works perfectly ! Now i just feel stupid.

    Thank you very much and sorry for the convenience.

    Best regards.

  • Moderator

    @fogman4 While I don’t have an immediate answer for the certificate issue I see you changed 2 things.

    1. You went from fog 1.5.9 to Is that on the same fog server with no other changes to the FOG server? Or did you build a new fog server with the updated version of FOG?
    2. Is Debian 11 the OS you are using for your target computer or your FOG server?
    3. It looks like you are automating building Debian using FOG via netbooting and not FOG imaging?

    If the only thing that changed is Debian 11 (upgrading from 1.5.9 to can be ignored for the moment) I would say that Debian 11 has tighter controls on https communication where it probably needs the FOG self signed root certificated added to the trusted certificate store. That is kind of what the error is telling me assuming nothing else changed other that what you are building on the target system.

    The error message is interesting too. Error 302 is a redirect for sending the browser some place else. Also look at the very beginning of the error message. how did port 80 (HTTP) get in there? You are using https everywhere in your scripts?? - - [07/Jan/2022:10:58:05 +0100] "GET /autoinstall/ubuntu/ubiseed_20_vm.cfg HTTP/1.1" 302 563 "-" "Wget/1.20.3 (linux-gnu)"